Hackers could access the Instagram account in 10 minutes!


Caution! Instagram recently fixed a critical vulnerability that could have allowed hackers to compromise any account without any interaction from the targeted user.

Instagram is growing fast, becoming the second most popular social media network in the world after Facebook, and one of the favourite targets of malicious users.


Although they have advanced security mechanisms, even the largest platforms such as Facebook, Google, LinkedIn and Instagram are not completely immune to hackers and contain serious vulnerabilities.

Some vulnerabilities have recently been fixed, some are still being fixed, and many others probably exist but have not yet been found.

Details of this critical Instagram vulnerability were made public today: as mentioned above, it could allow a remote attacker to reset the password of any Instagram account and take full control of it.


It was discovered and reported by the Indian bug bounty hunter Laxman Muthiyah. The vulnerability resided in the password recovery mechanism implemented by the mobile version of Instagram.

"Password reset" or "password recovery" is a feature that allows users to regain access to their account on a website if they forget their password.

On Instagram, users receive a six-digit passcode (which expires after 10 minutes) on their mobile number or email account to prove their identity.

This means that one of the one million possible codes can unlock any Instagram account by brute force... but it is not as simple as it sounds, because Instagram applies rate limiting to prevent such attacks.


However, Laxman found that the rate limiting could be bypassed by sending the brute-force requests from different IP addresses and sending them simultaneously, so that many attempts were processed concurrently.

Sending requests in parallel combined with IP rotation circumvents the security measure. The 10-minute expiry of the code is the key constraint on the attack.
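The weakness described above is a throttle keyed by source IP, which rotating IPs and concurrent requests can sidestep. The following added example (not Instagram's code, and not from the researcher's report) shows a recovery-code verifier that instead keys the attempt budget to the account and its current code, holds a lock across the check-and-increment, and burns the code after a few misses or after the 10-minute window; the attempt cap of 5, the account name and the IP addresses are constructed values.

```python
import secrets
import threading
import time

# Constructed policy values: the 10-minute expiry matches the article, the
# attempt cap is an assumption for this example, not Instagram's real setting.
CODE_TTL_SECONDS = 600
MAX_ATTEMPTS_PER_CODE = 5

class RecoveryCodeService:
    def __init__(self, clock=time.time):
        self._clock = clock
        self._lock = threading.Lock()
        self._codes = {}  # account -> [code, issued_at, failed_attempts]

    def issue(self, account):
        code = f"{secrets.randbelow(10**6):06d}"
        with self._lock:
            self._codes[account] = [code, self._clock(), 0]
        return code

    def verify(self, account, guess, source_ip=None):
        # source_ip is deliberately not part of the throttle key: the counter
        # lives with the account's code (so IP rotation cannot reset it) and
        # the lock makes check-and-increment atomic under concurrent requests.
        with self._lock:
            entry = self._codes.get(account)
            if entry is None or self._clock() - entry[1] > CODE_TTL_SECONDS:
                self._codes.pop(account, None)    # unknown or expired code
                return False
            entry[2] += 1
            if secrets.compare_digest(entry[0], guess):
                del self._codes[account]          # single use
                return True
            if entry[2] >= MAX_ATTEMPTS_PER_CODE:
                del self._codes[account]          # burn it; a fresh code is needed
            return False

def demo():
    # Walk the scenarios with a fake clock; returns the outcomes for inspection.
    now = [1_000_000.0]
    svc = RecoveryCodeService(clock=lambda: now[0])
    code = svc.issue("alice")
    wrong = f"{(int(code) + 1) % 10**6:06d}"   # guaranteed incorrect guess
    misses = [svc.verify("alice", wrong, f"198.51.100.{i}") for i in range(MAX_ATTEMPTS_PER_CODE)]
    burned = svc.verify("alice", code)      # right code, but the budget is spent
    ok = svc.verify("alice", svc.issue("alice"))
    stale = svc.issue("alice")
    now[0] += CODE_TTL_SECONDS + 1          # jump past the 10-minute window
    return {"misses": misses, "burned": burned, "ok": ok, "expired": svc.verify("alice", stale)}
```

In a real deployment the per-account state would live in a shared store so that every application server sees the same counter, which is the property a per-IP limiter on each node lacks.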

"In a real attack scenario, the attacker needs 5000 IPs to hack an account... it sounds like a lot, but this is really easy if you use a cloud service provider like Amazon or Google. It will cost about 150 dollars to perform the full attack with a million codes," said the researcher.


Laxman also released a proof-of-concept for the vulnerability, which Instagram has since fixed, and the company rewarded him with $30,000 under its bug bounty program.

To protect your accounts against many kinds of online attacks, and to reduce your chances of being hacked when malicious users target a vulnerable application directly, it is strongly recommended to turn on two-factor authentication, which can stop hackers from getting into your accounts.